On Tue, Jun 24, 2008 at 3:44 PM, Axel Mendoza Pupo <[EMAIL PROTECTED]> wrote:
> When I said ServiceTicket I mean ServiceTicketImpl and it is not necessary
> the use of CentralAuthenticationService those tickets are stored in
> DefaultTicketRegistry so they are accessible passing a service ticket value
> to the getTicket(String ticketId) method of DefaultTicketRegistry.
> so the expiration policy that never expires tickets is useful, and the
> behavior to expire ticket is external to any policy, and the global apps
> timeout should be implemented as the described topics before

ServiceTicketImpl is the implementation of a ServiceTicket. And though they may be stored in a TicketRegistry, we've designed the system so that you're supposed to access everything through the CentralAuthenticationService interface. We've repeatedly stated you should not access the TicketRegistry directly.

You should not set the NeverExpires policy on any ServiceTicket implementation. ServiceTickets are designed (by the protocol) to expire after a certain number of uses (1) or after a certain time has passed. Not expiring them introduces unnecessary security risks into the system.

-Scott

>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
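
The use-count and lifetime limits described in the reply above, as an added example that is not part of the original message and is not CAS code: a minimal Java model in which tickets are only validated through one entry point, run once under a one-use-or-timeout policy and once under a never-expires policy. All class names, the 10-second lifetime, and the ticket ids are assumptions constructed for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

// Added illustration with hypothetical names; this is not the CAS code base.
public class ServiceTicketDemo {
    /** State the policy inspects: creation time and number of validations. */
    static final class Ticket {
        final String id; final long createdMs; int uses;
        Ticket(String id, long createdMs) { this.id = id; this.createdMs = createdMs; }
    }

    interface Policy { boolean isExpired(Ticket t, long nowMs); }

    /** Expire after maxUses validations or after ttlMs, whichever comes first. */
    static Policy usesOrTimeout(int maxUses, long ttlMs) {
        return (t, now) -> t.uses >= maxUses || now - t.createdMs >= ttlMs;
    }

    /** The setting the reply says not to apply to service tickets. */
    static final Policy NEVER = (t, now) -> false;

    /** Single entry point: callers validate here and never read the map directly. */
    static final class Validator {
        private final ConcurrentHashMap<String, Ticket> registry = new ConcurrentHashMap<>();
        private final Policy policy; private final LongSupplier clock;
        Validator(Policy policy, LongSupplier clock) { this.policy = policy; this.clock = clock; }

        void grant(String id) { registry.put(id, new Ticket(id, clock.getAsLong())); }

        synchronized boolean validate(String id) {
            Ticket t = registry.get(id);
            if (t == null) return false;                       // unknown or already evicted
            if (policy.isExpired(t, clock.getAsLong())) { registry.remove(id); return false; }
            t.uses++;                                          // count this validation
            return true;
        }
    }

    public static void main(String[] args) {
        long[] now = {0};                                      // fake clock, milliseconds
        Validator strict = new Validator(usesOrTimeout(1, 10_000), () -> now[0]);
        Validator lax = new Validator(NEVER, () -> now[0]);
        strict.grant("ST-1-constructed"); strict.grant("ST-2-constructed");
        lax.grant("ST-1-constructed");
        System.out.println("strict, first use: " + strict.validate("ST-1-constructed"));
        System.out.println("strict, replay:    " + strict.validate("ST-1-constructed"));
        now[0] = 60_000;                                       // one minute later
        System.out.println("strict, stale:     " + strict.validate("ST-2-constructed"));
        System.out.println("never, replay x2:  "
            + (lax.validate("ST-1-constructed") && lax.validate("ST-1-constructed")));
    }
}
```

Under the one-use-or-timeout policy a captured ticket id is worthless after its first validation or once its lifetime has passed; under the never-expires policy the same id keeps validating for as long as it stays in the registry.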
